I definitely support a more secure default and would not only disable SSLv3. I have been using the following ssl.conf settings for about two years for just about everything. Gets me an A+ rating on Qualys and only kicks very old clients, like Android...

There isn’t a central point where this policy is enforced. Every service has its own implementation.

From the UI point of view it is the same. Whilst the Email page could be good for Postfix, there’s no suitable page for Apache. If the opt-out is an edge case, I’d prefer a documented procedure instead of putting a checkbox in a remote corner of the screen.

Maybe I’m wrong, but as far as the law goes you have to choose the strongest encryption, therefore choosing a weaker one should not be an option.

The problem is that older browsers/operating systems may not support the newer protocols and cipher suites, and some folks may need to work with those users. If we update the defaults (which I think we should), we should also provide a reasonably-accessible means of reverting them for compatibility with older software.

I’d also be hesitant about addressing compliance with any regulatory scheme in any but the most generic terms. I’d think a better path would be to say what the configuration is ("by default, Nethserver enables TLS 1.1 and later with the following cipher suites: "), and leave it to the user to ascertain whether this meets their needs.

The problem is that older browsers/operating systems may not support the newer protocols and cipher suites, and some folks may need to work with those users.

You’re technically right.
But this kind of law (GDPR) assigns you liability if you don’t choose the safest/least vulnerable/newest and most secure option.
So… if the tech issue is outside your remit, liability is too. If you choose to allow software that isn’t the safest (latest) to connect, it’s your liability.

Therefore, the default should be the most restrictive, and consequently an unsafe option should be a possibility, but not the first one.

As to which services to harden, I’d say that if a service supports TLS, we should give the ability to use that. I’m fine with setting (reasonable) secure defaults, but we should give the (easy) ability to roll back to more-compatible settings.

Yes, please change the defaults to be encrypted by default, and that means goading people to a Let’s Encrypt certificate as well.

This would make me find a way to stop by and say hello to you guys, and ask whom to kiss. So it may be a double-edged sword there … older browsers and OSes should not be considered in the default and should be discouraged.

Not doing so essentially helps malicious people take advantage of users who have to rely on lazy sysadmins who didn’t think about security or about warning their users. It should be easy to enable the legacy stuff anyway, with a huge red banner filled with implications, but that should be a very deliberate action.

I did some tests of SSL certificates with SSL Labs and Apache; the breaking change is rather in the protocols we are limited to using. Sure, if we force only TLS 1.2 we get an A, but we miss some clients (Android 2 and XP/IE{6,7,8}).

I don’t think we can go the most secure way and refuse older clients like the modern way proposes, but I feel that we should offer the most secure method without the possibility to reduce it.
Actually I have found this, let’s talk about it.
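The ssl.conf settings mentioned in the first post are not in the thread, so here is an added example, not NethServer’s shipped configuration and not any poster’s own, of the two Apache mod_ssl profiles the test above is weighing: a compatible one that only drops SSLv2/SSLv3 and still admits the Android 2 and XP/IE clients, and a restrictive TLS 1.2-only one. The `<IfDefine>` names COMPAT_TLS and STRICT_TLS are assumptions chosen for this example; the directives are standard mod_ssl and the cipher names are OpenSSL’s.

```apache
# Added example (not NethServer's ssl.conf): two alternative mod_ssl profiles.
# Exactly one of the two defines is meant to be active at a time.

# --- Compatible profile: SSLv2/SSLv3 off, TLS 1.0 and 1.1 still allowed ---
# Android 2 speaks only TLS 1.0 and XP/IE 7-8 need TLS 1.0 plus 3DES
# (DES-CBC3-SHA), so both stay in. Forward-secret AEAD suites come first so
# modern clients still negotiate them; RC4, MD5, export and anonymous suites
# are excluded outright.
<IfDefine COMPAT_TLS>
    SSLEngine            on
    SSLProtocol          all -SSLv2 -SSLv3
    SSLHonorCipherOrder  on
    SSLCipherSuite       ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
    SSLCompression       off
</IfDefine>

# --- Restrictive profile: TLS 1.2 only, forward secrecy, AEAD only ---------
# This is the "force only TLS 1.2" setting from the test: it kicks Android 2
# and XP/IE but removes every CBC and 3DES suite. The HSTS header is what
# lifts the SSL Labs grade from A to A+; it requires mod_headers.
<IfDefine STRICT_TLS>
    SSLEngine            on
    SSLProtocol          -all +TLSv1.2
    SSLHonorCipherOrder  on
    SSLCipherSuite       ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!3DES
    SSLCompression       off
    SSLSessionTickets    off
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfDefine>
```

Select a profile by starting httpd with `-D COMPAT_TLS` or `-D STRICT_TLS`; with neither defined, both blocks are ignored and mod_ssl’s built-in defaults apply. After switching, `openssl s_client -connect host:443 -tls1` should fail against the strict profile and succeed against the compatible one, which is the quickest way to confirm which clients are being cut off before an SSL Labs run.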

IE 8 not supported anymore => out of GDPR
Win XP not supported anymore => out of GDPR
Android 2 not supported anymore => out of GDPR.

I’m not saying that I like to be on this razor’s edge, and behave just like the main QMail developer, but at least from my perspective, if NethServer needs to be GDPR compliant, the project should cut the rope and keep obsolete and unsupported software outside.

Therefore, if the unsupported software (not compliant with strong ciphers) is able to connect to the server, liability falls on the sysadmin’s head.